Return unknown for un-issued certificates. #2
base: master
…return UNKNOWN according to CA/B Forum guideline v1.1.9.
…erial to PKI_X509_OCSP_RESP_STATUS_UNAUTHORIZED.
… This is the last commit for this branch.
…nce; index.txt is potentially untrusted.
3cfdfe6 to 7bf502a
…ode in parsing logic.
… REVOKED. You need the id-pkix-ocsp-extended-revoke updated libPKI for this. Check vtsingaras/libpki.
This requires the latest version of libPKI at vtsingaras/libpki branch: extended-revoke
Add null pointer check and fix potential null pointer deref.
Thanks for submitting the request. However, I am still investigating the security concerns (as per my e-mail on the mailing list). I am waiting for some replies from the PKIX mailing list about my concerns. If the security and deployment considerations are addressed, we might add support for it and add the appropriate configuration options for enabling/disabling this mode.
I should note that this patch relies on my other pull request for libPKI here: openca/libpki#3 Also I'll rework the patch to handle index.txt reloading via a signal (e.g. SIGUSR1), so don't just merge it yet.
Ok. Don't worry, I will review the patch before merging to be sure there are
Cheers,
On 11/13/14, 8:03 PM, Vyronas Tsingaras wrote:
CA/B Forum guideline v1.1.9 (since v1.0.3) Section 13.2.6 demands that an OCSP responder should not return GOOD to a request about an unrecognized serial. This patch implements that by logging the unknown serial and returning UNKNOWN to the client. The serials are provided by a file that is specified in the CA configuration. A timeout option is supplied to reload the file every 'timeout' seconds. The serials file must be in the OpenSSL CA Database format (index.txt).
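The lookup the description above asks for, as an added Python example that is not ocspd's or libPKI's code: it parses an OpenSSL CA database (index.txt) defensively, since the file is potentially untrusted, and maps a requested serial to good, revoked or unknown, never answering GOOD for a serial the CA did not issue. The index lines are constructed, and the periodic reload is left out.

```python
import logging
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample OpenSSL CA database (index.txt). Columns are tab-separated:
# status (V/R/E), expiry, revocation date[,reason], serial (hex), file, subject.
SAMPLE_INDEX = (
    "V\t251231235959Z\t\t1000\tunknown\t/CN=alice.example\n"
    "R\t251231235959Z\t141113200301Z,keyCompromise\t1001\tunknown\t/CN=bob.example\n"
    "E\t140101000000Z\t\t1002\tunknown\t/CN=old.example\n"
    "not a database line and must be ignored\n"
)

@dataclass
class CertStatus:
    status: str                            # "good", "revoked" or "unknown"
    revocation_time: Optional[str] = None  # YYMMDDHHMMSSZ, revoked entries only
    reason: Optional[str] = None           # CRL reason, revoked entries only

def parse_index(text: str) -> Dict[int, Tuple[str, str]]:
    """Map serial -> (status letter, revocation field).

    index.txt is treated as untrusted input: lines with the wrong shape,
    an unknown status letter or a non-hex serial are skipped rather than used.
    """
    db: Dict[int, Tuple[str, str]] = {}
    for raw in text.splitlines():
        fields = raw.split("\t")
        if len(fields) < 6 or fields[0] not in ("V", "R", "E"):
            continue
        try:
            serial = int(fields[3], 16)  # normalises case and leading zeros
        except ValueError:
            continue
        db[serial] = (fields[0], fields[2])
    return db

def lookup(db: Dict[int, Tuple[str, str]], serial: int) -> CertStatus:
    """OCSP status for one serial; never GOOD for a serial the CA did not issue."""
    entry = db.get(serial)
    if entry is None:
        logging.warning("OCSP request for un-issued serial %X", serial)
        return CertStatus("unknown")
    flag, revocation = entry
    if flag == "R":
        when, _, reason = revocation.partition(",")
        return CertStatus("revoked", when, reason or None)
    # "V" and "E" entries were both issued by the CA; reporting an expired
    # entry as good is a policy choice made for this example, not by the PR.
    return CertStatus("good")
```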